I believe it's meant to rate-limit any sort of online attack (not just a keyboard-driven one). E.g., if someone's written a script that connects to AD via LDAP and guesses passwords, it can only test 10 passwords each 5 minutes on one DC, instead of, let's say, 50,000 per five minutes.
In the event that someone has the data to conduct an offline attack, well, yer hosed anyway...

--Steve

On Fri, Feb 17, 2012 at 8:48 AM, James Rankin <[email protected]> wrote:
> I guess the original thinking behind this was to stop people who were trying to guess your password by manually typing it in from a keyboard. The lockout would convince them to stop trying. Now that most attacks of this fashion are automated or offline, the duration probably isn't a factor.
>
> So yes, I'd agree, if one minute can stop a manual attacker from trying and convince them to move on to something more constructive, the lockout duration has done its job. However, as others have said, I'd be interested in hearing some of our more security-minded experts chiming in with some insight.
>
> On 17 February 2012 13:26, Sean Rector <[email protected]> wrote:
>> I’d love to hear from the InfoSec peeps on this too – I currently have the lockout set at 30 minutes. I’m seriously considering dropping it down to 5.
>>
>> Sean Rector, MCSE
>>
>> From: Harry Singh [mailto:[email protected]]
>> Sent: Thursday, February 16, 2012 8:16 PM
>> To: NT System Admin Issues
>> Subject: Re: Self-Service Account Unlock
>>
>> 500+ users here and am a big fan of account lockout durations of less than 5 minutes. Our annual security assessment advisor didn't like that very much, for reasons I'm still attempting to figure out. I've read several pieces of documentation suggesting keeping the lockout duration to even about 1 minute would be secure, but I'm far from an info sec expert. I'm eager to hear from the folks on this list who disagree with the lockout duration being set to anything higher than 5 minutes (for argument's sake).
>>
>> Harry.
>>
>> On Thu, Feb 16, 2012 at 7:22 PM, Kurt Buff <[email protected]> wrote:
>>
>> Well, since you're that understaffed, I'd personally set the timeout to 5 minutes, and let the students deal with it.
>> I say that wearing my BOFH hat, but I don't think that it's all that unreasonable.
>>
>> On Thu, Feb 16, 2012 at 14:50, Blackman, Woody <[email protected]> wrote:
>> > Well, in an academic environment, we have 35,000 students per semester using about 2,000 resources (computers in labs) and about 6 people per shift to "help" them. They need access and we need automation/self-service wherever there is opportunity.
>> >
>> > -----Original Message-----
>> > From: Kurt Buff [mailto:[email protected]]
>> > Sent: Thursday, February 16, 2012 2:37 PM
>> > To: NT System Admin Issues
>> > Subject: Re: Self-Service Account Unlock
>> >
>> > So, I have some questions regarding this:
>> >
>> > What is the rush on the part of the end user to have this done? They can't wait 5 or 10 minutes for the unlock to happen automagically?
>> >
>> > How often do account lockouts happen that this is something worth spending time and money on a solution?
>> >
>> > Frankly, with my user base of about 250 staff, I consider it unusual to get as many as three requests in a month for account unlocks.
>> >
>> > Kurt
>> >
>> > On Thu, Feb 16, 2012 at 10:44, Sean Rector <[email protected]> wrote:
>> >> I’ve been looking through the multitude of options, but they all seem to be web-portal-based. Is there one that puts the Unlock option on the Logon Screen?
>> >>
>> >> My point is – what’s the use of a web-portal version when they can’t log on to their machine? A kiosk-type user account doesn’t seem the safest route to go.
>> >>
>> >> Sean Rector, MCSE
>> >> Information Technology Manager
>> >> Virginia Opera Association
>> >> E-Mail: [email protected]
>> >> Phone: (757) 213-4548 (direct line)
>> >>
>> >> Tickets and Subscriptions On Sale Now!
>> >> Orphée | The Mikado
>> >> Visit us online at www.VaOpera.org or call 1-866-OPERA-VA
>> >> Experience the Beauty, Power & Passion of Virginia Opera.
>> >>
>> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>> >>
>> >> ---
>> >> To manage subscriptions click here:
>> >> http://lyris.sunbelt-software.com/read/my_forums/
>> >> or send an email to [email protected]
>> >> with the body: unsubscribe ntsysadmin
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
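Steve's rate-limiting argument at the top of this thread (threshold guesses per lockout duration, counted per DC), worked through as an added example that is not part of any message in the thread; the threshold and the 1/5/30-minute durations are the values the thread discusses, while the two attacker strategies and the per-DC scaling are my modelling assumptions.

```python
"""Rate-limit model for an AD account lockout policy (added example, not
from the thread). Assumes the standard policy knobs: lockout threshold,
lockout duration (minutes, 0 = locked until an admin unlocks) and the
reset-counter window (minutes). The bad-password counter is kept per DC,
so each DC an attacker can reach is a separate budget; num_dcs scales it."""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int     # bad attempts before lockout (0 = lockout disabled)
    duration_min: int  # minutes locked out (0 = until admin unlock)
    reset_min: int     # minutes of quiet before the bad-attempt counter resets


def guesses_per_day_under_threshold(p: LockoutPolicy, num_dcs: int = 1) -> float:
    """Attacker who never triggers the lockout: threshold-1 guesses, then
    waits for the counter to reset. Lockout duration plays no part here."""
    if p.threshold == 0:
        return float("inf")
    if p.reset_min <= 0:            # counter never resets: one burst only
        return float(p.threshold - 1) * num_dcs
    return (p.threshold - 1) * (MINUTES_PER_DAY / p.reset_min) * num_dcs


def guesses_per_day_accepting_lockouts(p: LockoutPolicy, num_dcs: int = 1) -> float:
    """Attacker who does not care that the account locks: threshold guesses,
    then waits for the automatic unlock. This is the figure the lockout
    duration actually controls, and what makes lockouts a noisy, detectable event."""
    if p.threshold == 0:
        return float("inf")
    if p.duration_min == 0:         # stays locked until someone unlocks it
        return float(p.threshold) * num_dcs
    return p.threshold * (MINUTES_PER_DAY / p.duration_min) * num_dcs


def days_to_exhaust(candidates: int, guesses_per_day: float) -> float:
    """How long a candidate list of the given size lasts at that daily rate."""
    return candidates / guesses_per_day


def compare_durations(threshold: int, durations_min: list[int]) -> dict[int, float]:
    """Daily guess budget (lockout-accepting attacker, one DC) per duration,
    e.g. the 1, 5 and 30 minute settings debated in the thread."""
    return {d: guesses_per_day_accepting_lockouts(LockoutPolicy(threshold, d, d))
            for d in durations_min}


if __name__ == "__main__":
    for d, per_day in compare_durations(10, [1, 5, 30]).items():
        print(f"duration {d:>2} min: {per_day:>8.0f} guesses/day/account/DC, "
              f"{days_to_exhaust(100_000, per_day):7.1f} days for 100k candidates")
```

Note that the duration only changes the budget of an attacker willing to lock the account; an attacker staying under the threshold is bounded by the reset window instead, which is why the threshold and reset window deserve as much attention as the duration.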
